Hosting Provided By

RE: forbidden functions on client-side scripts

From: Uzi Refaeli <uzix(at)dotomi.com>
Date: Thu Dec 12 2002 - 02:12:19 EST

what do you mean by internal clients?
and in which step of the way are these programs do the filtering?

Uzi Refaeli
Dotomi
972-52-564496

-----Original Message-----
From: Shimon Silberschlag [mailto:shimons@bll.co.il] Sent: Wednesday, December 11, 2002 7:06 PM To: webappsec@securityfocus.com
Subject: forbidden functions on client-side scripts

Some products that are used as content filters for the HTTP traffic used by internal users, have the ability to block certain "dangerous" functions used on client side scripts from getting to the internal client. Attached is the default function list used by such a product. Since I'm not a programmer, can someone tell me if this list is complete/overkill/lacking and what other functions that are dangerous/benign should I consider adding/dropping from the list. The list is given for VBscript and Javascript separately.

[VB SCRIPT]

Forbidden
words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,File Exist,
GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Open textfile,CreateTextRange,
OpenAsTextStream,DeleteFile,CopyFile,RegWrite

[JAVA SCRIPT]

Forbidden
words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExte nsionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite

TIA, Shimon Silberschlag

+972-3-9352785
+972-51-207130 Received on Thu Dec 12 02:13:24 2002

Do you need help?

This message: [ Message body ]
Next message: David Simcik: "Web Application Analysis Tools?"
Previous message: Matthew Miller: "Re: XSS"
Maybe in reply to: Shimon Silberschlag: "forbidden functions on client-side scripts"
Reply: Alonso Robles: "Re: forbidden functions on client-side scripts"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT